Update on recent cyber prosecutions/stings

by Robinson+Cole Data Privacy + Security Insider

The feds keep chipping away at those thieves and hackers and we are pleased to showcase the recent results of their hard work.

Computer Hacking and Sexual Extortion

On December 9, 2015, the U.S. Attorney’s Office of the Northern District of Georgia announced that a former U.S. State Department employee employed at the U.S. Embassy in London, pled guilty to “perpetrating a widespread, international e-mail phishing, computer hacking, and cyberstalking scheme against hundreds of women in the United States and abroad. Using e-mail passwords obtained by phishing, he hacked into hundreds of victims’ e-mail and social media accounts, stole thousands of sexually explicit photographs, and threatened at least 75 victims that he would release their photos and other personal information unless they agreed to his ‘sextortionate’ demands.

He “tormented” his victims, mostly young females with a focus on members of sororities or aspiring models, by “threatening to humiliate them unless they provided him with sexually explicit photos and videos.”

He posed as an employee of an “account deletion team” for a well-known e-mail service provider and sent phishing emails to thousands of women warning them that their e-mail account would be deleted if they didn’t give him their password. If they gave their password, he then hacked into their e-mail account and social media account and searched for sexually explicit photographs. If he found them, he searched for personally identifiable information about them, including their home and work addresses, school and employment information and names and contact information of family members.

He then threatened the women that if they didn’t give him photos or videos, he would release the photo. If they refused to comply, he would tell them that he knew where they lived, and did in fact send some of the information to family members.

He successfully hacked into 450 online accounts belonging to at least 200 victims. He will be sentenced on February 16, 2016. The U.S. Attorney’s Office reminds anyone who believes they are a victim of hacking, cyberstalking or ‘sextortion’ should contact law enforcement.

Employee theft of trade secrets

Last week, the U.S. Attorney for the Southern District of New York and the New York FBI Office announced that Xu Jiaqiang has been arrested for theft of a trade secret of proprietary source code from his former employer.

According to the allegations, Xu worked as a developer for an unnamed software company and had access to proprietary software and underlying source code of a clustered file system. The company only provided access to the proprietary code to authorized individuals.

Xu resigned from the company and started communicating with undercover law enforcement officers posing as financial investors looking to start a big data storage company. He sent the officers code from his previous employer and remotely installed the proprietary software on networks set up by the FBI, which was confirmed to be functioning software of the previous employer.

Xu admitted to undercover law enforcement that he had used the code to build a copy of the proprietary software to sell to customers. He has been charged with one count of theft of a trade secret, which carries a maximum sentence of ten years in prison. He is being prosecuted by the U.S. Attorneys’ Terrorism and International Narcotics Unit and the National Security Divisions’ Counterintelligence and Export Control Section. Impressive work!
On Tuesday, December 15, 2015, the U.S. Attorney of the District of New Jersey announced that three alleged hackers from Florida, New Jersey and Maryland were charged with a “wide-ranging computer hacking and identity theft scheme that compromised the personally identifiable information (PII) of millions of people and generated more that $2 million in legal profits.”

The individuals were charged with conspiracy to commit wire fraud and conspiracy to commit fraud with electronic mail.

The allegations include writing computer programs that conceal the origin of the email in order to bypass spam filters. They allegedly hacked into the email accounts of individuals and seized control of the mail servers of corporations. Further, they created custom software “that leveraged vulnerabilities in the websites of a number of corporations” which allowed them send out spam that looked like it came from the company. Finally, they stole confidential business information of corporations, including databases containing millions of individuals’ PII, one of which was the employer of one of the alleged hackers. The hacker gave access to the employer’s system to the other hacker through a remote administration tool so they could steal the names, addresses, telephone numbers, and email addresses of former, current and potential customers.

The hackers face a maximum of five years in prison and a fine of greater that $250,000 or twice the gain or loss from the offense for conspiracy to commit fraud and related activity in connection with computers, 20 years in prison and a similar fine for conspiracy to commit wire fraud and 5 years in prison and the same fine for conspiracy to commit fraud and related activity in connection with email.

There is also a request for forfeiture of close to $300,000 in bank accounts, a 2006 Ferrari convertible and a 2009 Cadillac SUV.

Destroying, altering and falsifying medical records

On December 10, 2015, a former Department of Veterans Affairs nurse pled guilty in the Southern District of Florida to “destroying, altering and falsifying records and committing computer fraud.” He faces up to 20 years in prison.

The nurse caused damage to the VA Medical Center in Miami, Florida’s computer system when he falsified the medical records of a 76 year old veteran with whom he had a treating relationship. The patient died, and the nurse tried to cover up the poor quality of treatment he received by attempting to falsify the records. He will be sentenced on February 19th.

Member of “NullCrew” pleads guilty

The U.S. Attorney’s Office in the Northern District of Illinois announced on December 8, 2015 that a member of the hacking group “NullCrew” pled guilty to charges that he “helped launch cyber-attacks on corporations, universities and governmental entities throughout the world.”

He pled guilty to one count of intentionally damaging a protected computer without authorization, which carries a maximum of 10 years in prison. He admitted that he participated in at least seven cyber-attacks while a member of NullCrew, including one against a large Canadian telecommunications company and another against a U.S. state. He will be sentenced on March 9, 2015.

We highlight these prosecutions for several reasons. First, the facts are important to understand as they are real life scenarios that happen every day against individuals and companies and can serve as lessons to learn from. Second, law enforcement is working hard to combat cybercrimes, and victims might want to consider bringing law enforcement into investigations and collaborate with the government to combat cybercrime. Finally, it is good to know that the thieves and hackers are seeing and feeling the consequences. We will continue to update you on the good work of law enforcement in bringing these thieves and hackers to justice.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider

Robinson+Cole Data Privacy + Security Insider on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.